As of October 1st, 2019, Visa, the world’s largest card organisation, is updating its fraud and chargeback monitoring policy. Will it affect you? If you accept cards online – it certainly will. Should you be concerned? Not necessarily, if you have a well-thought risk management strategy, a slight refinement of it should get the job done. If, however, you do not yet have any fraud prevention mechanisms on board, you better hurry up in getting some.
Visa, the world’s largest card organisation serving more than 323 million cardholders on all continents, is updating its fraud and chargeback monitoring policy. The changes will be effective as of October 1st, 2019, and may deeply affect some online merchants, especially those operating in high-risk industries, such as travel, online video games, betting/gambling, pharmaceuticals, dating or adult entertainment. Nonetheless, new rules might affect any merchant accepting Visa cards. This short entry is meant to help you understand the current state of fraud and chargeback monitoring, the nature of policy changes and, more importantly, how to effectively prepare your business for the new thresholds by implementing a viable risk management strategy that will help in fulfilling the requirements.
What are frauds and chargebacks?
Payment fraud is any unauthorised card transaction, carried out in whatever channel. Card-present fraud, the offline type, usually occurs at retail outlets and ATMs. However, it is the online one that we will focus on in this post. Europol defines card-not-present fraud as unauthorised use of credit or debit data (the card number, billing address, security code and expiry date) to purchase products and services in a non-face-to-face setting, such as via e-commerce websites or over the telephone. In the majority of cases, the victims are unaware of the unauthorised use of their cards, which remain in their possession. It is a low-risk, high-profit criminal activity. That is until the customer realises that they have been robbed. At this point, every fraud victim is entitled to file for a chargeback.
Chargeback is the return of funds to a customer, initiated by the issuing bank of the instrument. Specifically, it is the reversal of a prior unauthorised (fraudulent) outbound transfer of funds from a consumer's bank account, a line of credit, or credit card. Apart from the reimbursed amount, chargebacks involve additional fees and may lead to merchant account closure. Chargebacks are designed to improve the customer experience by building trust in online card payments.
All card organisations have instruments in place to oversee and record merchants who receive excessive amounts of fraud or chargeback disputes. In case of Visa, these monitoring bodies are VFMP (Visa Fraud Monitoring Program) and (VCMP) (Visa Chargeback Monitoring Program). Each merchant is under scrutiny and each fraud case/chargeback dispute is being held in their database to effectively create a merchant score. The programs are designed to address the increasing problem of online fraud and prevent customers from distrusting online payment systems.
What is the current state of chargeback monitoring? How will it change?
Both VFMP and VCMP have monthly compliance thresholds set up for merchants to monitor businesses experiencing excessive fraud attacks. As Hubert Rachwalski, CEO of a leading online fraud detection provider Nethone points out, if the merchant gets listed on MATCH (Member Alert to Control High-Risk Merchants), it is basically impossible for them to open an account with a new PSP as long as they are on the list. MATCH’ed or not – merchants who are monitored for frauds and chargebacks might face higher fees and less flexibility. While it is a headache for companies of all sizes, for the smaller ones it can quickly imply problems with the liquidity of their resources.
At the moment, VFMP’s standard thresholds for listing merchant accounts on MATCH are satisfied, when the seller exceeds both of the values below for several consecutive months:
- USD 75 000 fraud amount;
- 1% fraud-dollar-to-sales-dollar ratio.
With VCMP, the standard thresholds focus on the number of chargeback disputes, rather than the amount of fraud. Again, listing on MATCH is enforceable once the seller exceeds both of the values below for several consecutive months:
- 100 chargeback dispute count;
- 1% ratio of disputes-to-sales-transaction count.
As of October 2019, new, tighter thresholds will result in adjustments in the above-mentioned ratios.
New VFMP Standard threshold:
- USD 75 000 fraud amount;
- 0.9% fraud-dollar-to-sales-dollar ratio.
New VCMP Standard threshold:
- 100 chargeback dispute count;
- 0.9% ratio of disputes-to-sales-transaction count.
Standard VFMP and VCMP thresholds are not the only ones being tightened. In fact, all Visa thresholds are changing, for instance the VFMP Early Warning (from 0.75% fraud-to-sales-dollar to 0.65%), VCMP Excessive (from 2% disputes-to-sales-transactions to 1.8%) and, most notably, Visa Acquirer Monitoring Program threshold – a similar instrument designed to monitor acquiring banks (from 1% sales-to-chargeback ratio to 0.75%). The latter means that acquirers will be more cautious in onboarding high-risk merchants, in fear of approaching the new tighter threshold.
What are the implications of the new anti-fraud policy?
0.1% doesn’t seem like a lot, does it? However, some industries, particularly the high-risk sectors, such as adult goods, online gaming, gambling, online pharmacies, e-cigarettes and a plethora of travel services, will be deeply affected by this seemingly insignificant 0.1%. But it is no longer only about the high-risk businesses – along with the rapid growth of ecommerce worldwide, the tightening of fraud thresholds may instigate fear across a wide variety of industries. We asked Nethone to explain the implications of the new Visa policy:
“Merchants with fully implemented chargeback mitigation strategies are not in the first line of danger – however, they might be under closer scrutiny. Merchants who are currently dangerously close to 1% threshold, after the changes, will fall into chargeback monitoring programmes with a danger of being listed on MATCH.” – says Hubert – “They will be primarily hit by much higher fees imposed by third-party processors. The tightened threshold will increase the number of penalties for merchants who unsuccessfully set their risk management strategies. Soon, the stricter Visa rules will be followed by cautious acquirers who will introduce their own requirement – letting go some of merchants that do not comply with the new policies.”
Merchants exceeding the threshold consecutively for several months are flagged as non-compliant on the MATCH list. This can trigger a Non-Compliance Assessment, linked to a fine. Depending on the threshold exceeded and non-compliance severity, merchants may be forced to pay fees ranging from $50 per chargeback, and up to $75.000 in monthly non-compliance fees. Of course, that’s on top of the reimbursement owed to the victims of fraudulent transactions.
How to prevent exceeding the new fraud thresholds?
All merchants, especially those operating in high-risk sectors, should work closely with acquirers to develop effective risk control strategies, capable of matching the tightened monitoring thresholds. With the constant evolution of fraud techniques, the rising volume of fraudulent transactions and an ever-growing number of fraud victims, it is necessary for businesses to deploy payment gateways equipped with anti-fraud tools mitigating the risk. Nowadays, machine learning is there to help. Top-grade AI-based FDP solutions deploy predictive models designed to prevent fraud before it even happens. In the old days, payment providers would supplement their solution with a set of logics that would trigger a transaction denial in certain cases. But as scammers evolve, so does the technology necessary to effectively fight payment fraud. As Hubert explains:
“Using the full potential of data, merchants can shed light on the whole purchasing process and make predictions as to which customers are making purchases with fraudulent intentions. However, most often, merchants know about their customers only as much as they choose to tell them. Hence, it is necessary to use tool that reveal more information about each user. The process of picking up data and discovering patterns between variables unrelated at first glance – it serves as an effective tool in detecting fraud risk. Due to the volume and the complexity of data, machine learning is the most useful analytical tool.”
Machine learning is capable of making a judgement on whether or the transaction is fraudulent or not. This not only leads to 80% lower fraud and chargeback rates, but also helps in protecting business’s bottom line by reducing the “false positives” – legitimate customers erroneously flagged as fraudsters (for instance, users with a new mobile device browsing from an unusual holiday location).
Besides top-notch ML-based FDP systems, merchants who know that the 0.1% change might cost them, should consider switching into a payment gateway offering a from-issuer fraud alert system. It provides merchants with real-time updates on red-flagged cards – used by fraudsters in recent days or hours anywhere in the world. This solution can help twofold: primarily by preventing acceptance of risky cards, secondly – by allowing merchants to refund fraudulent transactions before they turn into chargebacks.
Visa’s new rules will be effective as of 01.10.19 and will affect all merchants, especially those operating in the high-risk sectors. The most notable changes are in the ratios of fraud-dollar-to-sales-dollar and disputes-to-sales-transactions, across all threshold categories: Early Warning, Standard and Excessive. Standard thresholds, currently set to 1%, will be tightened to 0.9% as of October 1st. Along with VFMP and VCMP thresholds evolving, Visa’s instrument designed to monitor acquirers (VAMP) is tightening its thresholds too, meaning PSPs will be more cautious in accepting high-risk merchants.
Is that a reason to panic? Not at all! It is a reason to re-think the risk management strategies currently in operation, or, in most severe cases, deploy completely new mechanisms. Only merchants without comprehensive risk management strategies have a reason to worry. When working on the strategy to reduce fraud and chargeback rates it is best to utilise the latest technological developments to your advantage. To effectively fight fraudsters and prepare for the new rules, choose a payment provider who offers top-grade, AI-based fraud detection and prevention tools as well as alert systems supported by card issuers and clear risk management analytics.
Click here to learn more about Straal’s suite of payment solutions with FDP mechanisms included.